The website in question takes users to a password authentication page when they click on the members link. After they have provided the correct password it allows them to click on any page, such as a member's directory page. The issue is: when someone just uses Google or any type of search engine, they are able to get to the directory without being prompted for a password.
I am assuming I need to setup all of the unsecured pages to the secured password authenticated one. Could I get some assistance on how to do this?
Option 1: .htaccess files.
Option 2: put an index file (index.php, index.htm, index.html, etc.) in the directory. If they try to just browse to the directory, they'll get that page instead.
Option 3: If you're using IIS you can set the website so that the directory isn't browsable.
Option 4: You can tinker with the chksum values, but chksum seems to be more of a blanket thing.
There are several ways to go about securing a directory - it depends on your hosting environment and what your expected end-result behavior will be.
You can add redirect code in your .htaccess to redirect your domain from http to https.
A sample code would be like this but you need to modify it if it do not work properly.
RewriteEngine on
RewriteCond %{HTTP_HOST} ^yourwebsite\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.yourwebsite\.com$
RewriteRule ^(.*)$ "https\:\/\/yourwebsite\.com\/$1"01,L] [R=3
Also, in order for your SSL cert to come back clean all external resources / links must come from https or else there will be a small security flag but your SSL will still be active and accepted.
You can google search for additional methods for using .htaccess
Related
I'd like to create fake subdomains for different users for more vanity, and to make the user (in this case a company) feel they are in a more isolated environment.
For the sake of maintainability, it's important for me that all users still browse the same files, to avoid having to update files for every single user that exists when updating the code.
My website has one public part at root, let's say www.example.com. I'd like to be able to fake the following kind of subdomains:
user1.example.com
The true URL would be www.example.com/member/?user=user1. I'd like for the folder structure to follow the same pattern. www.example.com/member/settings/?user=user1 would appear as user1.example.com/settings/ and so on.
I assume this would best be achieved with .htaccess, no?.
What is the proper .htaccess code for this?
Thank you!
based on the information you've provided here's a bit of .htaccess not tested but might do the job.
RewriteEngine on
RewriteCond %{HTTP_HOST} ^(www\.)?example.com$ [NC]
RewriteCond %{QUERY_STRING} ^user=(.*)$
RewriteRule ^(.*)$ http://%1.example.com/$2? [R=302,L]
Once you find it working fine, replace 302 to 301
Note: It's important to note that you'll need to add a subdomain wildcard
In the end, this was super easy to solve! It wasn't solved the way I first expected though, using .htaccess. I solved it with something called wildcard subdomain.
When you register a new subdomain, enter * in the domain prefix, such as *.example.com. A folder for the wildcard subdomain will be created on your server, such as _wildcard_.example.com. Whenever you access site1.example.com, fakesub.example.com etc, the browser of the visitor will read the files in the wildcard.example.com folder.
The beauty of it all is that if I create a certain subdomain that I want to use, for example forum.example.com, this real subdomain will have priority over the wildcard subdomain, and files will be fetched from the folder for this subdomain, as opposed to from the wildcard subdomain folder.
I use PHP and need to know the subdomain to fetch the appropriate database for the current user. To do this, I use the following code:
$subdomain = explode('.', $_SERVER['HTTP_HOST'])[0]
With a wildcard SSL cert I have all of these subdomains secure.
I have used the following redirect within .htaccess to force HTTPS for a long time with no problem.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
However, it seems that Google Chrome's latest update gives me a security warning.
Your connection is not private Attackers might be trying to steal your
information from ofertaclarocloud.com.co (for example, passwords,
messages or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID Automatically send some system
information and page content to Google to help detect dangerous apps
and sites. Privacy Policy
Does anyone know any way around this?
(Note: I am using a form on the page. It does not, however, have any sensitive information such as passwords, credit card information, etc. Just a simple form with name, phone, and email.)
(Note 2: I have also tried a few other solutions around StackOverflow to such as this.)
Thanks!
My site hacked and they add url with string "bitsofev" for example:
http://example.com/~bitsofev
http://example.com/~bitsofev/apple.de
Check here for real sample
https://www.google.com/search?safe=off&q=bitsofev&nfpr=1&sa=X&ved=0CBsQvgUoAWoVChMI7LnMiOvIxwIVQpGOCh1T2wC6&biw=1570&bih=899
I tried to redirect it to homepage with htaccess but not working
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^(.*)~bitsofev(.*)$ http://example.com [L,R=301]
</IfModule>
I tried the same code to redirect other string and it works fine, but not "bitsofev" string. weird.
Best I can do for this is to block on robot.txt but its not solving the problem. What can I do for this?? Where can I fix the original problem? How to redirect it to homepage if I can't find the source?
Additional info: I searched on MySQL db, and I can't find 'bitsofev'.
I have a similar problem. Someone may have added the "/~bitsofev/apple.de" url to my site. A web analytics app track visitors and the content viewed at my site. Like you I don't have many users. Originally I thought that the "/~bitsofev/apple.de" was first accessed sometime last month. I originally also noticed that one of the user at my site registered at nearly the same time. My first thought was to temporarily deny this user access to signing into the site (and interacting with mysql db) while I investigated if this user uploaded a malicious file to the mysql db or exploited some error in the code that I was not aware of. However, I subsequently discovered (I hadn't been monitoring it regularly) a message from google regarding the url "~bitsofev/apple.de" in my admin inbox which predates the web analytics data and the user's registration that I originally thought may have been suspicious.
I will let you know everything further that I ascertain.
I meant to post this as a comment and not an answer. I apologize.
Add the the following to your .htaccess file:
RewriteCond %{THE_REQUEST} ~bitsofev/apple.de($|\ |\?) [NC]
RewriteRule .* - [F]
This will block (403 error) the file and url from being accessed. However, it wont specifically correct the problem.
I believe that was is really happening is that you are using shared hosting at Hostgator and IP 108.167.182.250 / 108.167.182.251
bitsofev (the owner of the site http://bitsofeverything.net/) is another user on the Hostgator shared hosting.
For example, go their website and after .net/ type in the tilde "~" symbol and the your user name (your hostgator user name), e.g, ~username
If I'm correct you'll then see your own website. You can then add a / and folders/files and see those, as well.
This is because Hostgator enables (by default) mod_userdir (Apache server).
The only part I don't understand yet is the apple.de because it doesn't appear to be a folder or file at bitsofeverything.net/
At any rate, I've been writing about this for a couple of months (trying to understand it better) at:
Justinbailey.info: What is /~bitsofev/apple.de added url? Hacked, hacker hacking.
We have our site setup and would like to have a secure members area. (e.g.: https://www.abc.com/members/).
Our host provides us an SSL URL to use for free though it isn't very pretty (www1234.sslurl.com/abc/members/).
Is it possible to use https://www1234.sslurl.com/abc/members/ and rewrite the URL to read as https://www.abc.com/members? If so, I'd appreciate some help with the rule to do this.
Note: This is NOT for a shopping cart and we aren't storing credit cards, or social security numbers or anything sensitive like that. We just want to provide users with a secure browser connection when logging in. Is rewriting the URL unethical?
Added details since someone voted to close my question though I'm not sure why. This is a valid question and is tagged appropriately.
================== SOME CODE I'VE BEGUN WORKING WITH==================
RewriteCond %{HTTP_HOST} abc.com
RewriteCond %{REQUEST_URI} !abc/
RewriteRule ^(.*)$ abc/$1 [L]
Does this look right?
Even if there was a way to do this (and I don't believe that you Apache supports such a redirect), the browser would likely complain anyway. Typically SSL certificates only work for domain.com and www.domain.com. If you try to access that certificate using a different URL, your browser will give an error about the certificate not being trusted.
i need to hide full path and show shortly:
www.site.com/this/is/path/to/hide/page.php --> www.site.com
Any idea to do it with .htaccess apache and rewrite rules??
EXAMPLE:
If i type www.site.com i want open index.php (in /),
but if i go to /hidden/path i want to open file.php (in hidden/path)
mantaining browser url in www.site.com.
EDIT:
i want to see in the browser bar www.site.com and i want to open page at /this/is/path/to/hide/page.php .
thanks
As I explained in : How does url rewrite works? every rewrite triggers a new call to the rewritten URL. (HTTP 3xx code).
So the client will ask for www.site.com/this/is/path/to/hide/page.php, would be redirected to www.site.com and will be served the index page as a normal user.
There is no way to tell the client to display one URL in the browser bar instead of another, client browser will always make a new request. (Or you could impersonate any site for example)
If you are not against the use of a cookie, or can use environment variable you may be able to do something like :
RewriteRule this/is/path/to/hide/page.php / [co:knowHiddenPath=true]
The environment variable as same syntax with E instead of co.
(See http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html for cookie information)
Your index page should then check this cookie/variable to serve the hidden page or not.
Another solution would be to enable access with password to your file. So even if someone know the URL he would not access the file. Security by obscurity is does not exists.
You can I believe do that with an Alias,
Alias / /this/is/path/to/hide/page.php
This directive needs to be in your <VirtualHost>
This will use mod_rewrite and you can put this into your .htaccess
# Activate Rewrite Engine
RewriteEngine On
# Home page rewrite rule
RewriteRule ^$ /this/is/path/to/hide/page.php [QSA,L]
This will ONLY work if you hit website root (e.g. http://www.example.com/)